Last Updated: May 1, 2025

Bug Bounty Program - Overview

At MaxIQ, security is a top priority. Our Bug Bounty Program is designed to encourage responsible disclosure of security vulnerabilities and help us protect our platform, infrastructure, and users.

We invite independent security researchers to report potential vulnerabilities. Submissions must be:

  • Original (not previously reported to MaxIQ),
  • Non-automated (not raw output from vulnerability scanners), and
  • Accompanied by a demonstration of a real, exploitable risk to MaxIQ systems, user data, or brand integrity.

By submitting a vulnerability, you agree to the terms of this program as outlined below.

Please submit all reports to: security@getmaxiq.com

Services in scope

Domains

APIs

  • Any public API hosted under the above domains

Note: MaxIQ also uses third-party marketing, partner, and vendor-hosted domains. These are explicitly out of scope and not eligible for testing or rewards.

Vulnerabilities in Scope

We don’t maintain an exhaustive scope list, but generally, any vulnerability that significantly affects the confidentiality, integrity, or availability of MaxIQ’s systems or user data is in scope.

Examples include:

  • Stored or Reflected XSS
  • Authentication bypass or privilege escalation
  • Remote Code Execution (RCE)
  • SQL or Command Injection
  • Sensitive data exposure
  • Business logic flaws leading to account takeover or financial risk

Vulnerabilities Out of Scope

To reduce noise and focus on meaningful security risks, the following are considered out-of-scope unless shown to be exploitable:

  • Social engineering (phishing, vishing, pretexting, etc.)
  • Host header injection without clear exploitability
  • Missing or misconfigured security headers
  • Denial of Service (DoS) or brute-force rate-limit tests
  • Self-XSS or reflected XSS affecting only the reporting user
  • CSRF on login/logout pages without additional impact
  • Clickjacking and iFrame-based UI redress attacks
  • Attacks requiring jailbroken/rooted devices
  • Version disclosures without proven risk
  • Weak TLS/SSL cipher suites or certificate warnings without demonstrated exploitability
  • Vulnerabilities in sandbox, QA, dev, or staging environments
  • Outdated or unpatched browsers or unsupported client technologies
  • Vulnerabilities requiring user-installed browser extensions or plug-ins

Code of Conduct

To ensure a productive relationship with our security community:

Submit all related findings in a single report; avoid breaking them into multiple sequential submissions.

Include:

  • A clear description of the vulnerability and its impact
  • Full steps to reproduce the issue
  • Affected URLs, endpoints, or user flows
  • PoC (proof-of-concept) code or screenshots
  • IP addresses used during testing
  • User ID(s) used in PoC testing

Never test against other users’ accounts or attempt to access their data.

All testing should be non-disruptive, respectful, and confined to your own accounts or test data.

Prohibited Activities

To ensure a safe, respectful, and legally compliant environment for security research, you must not:

  • Spam services, endpoints or employees
  • Attempt social engineering, phishing, or impersonation of MaxIQ employees or contractors
  • Physically access MaxIQ offices, infrastructure, or data centers
  • Test third-party systems not owned or operated by MaxIQ
  • Conduct denial-of-service (DoS) or other disruptive testing

Violations may result in disqualification from the program and/or legal consequences.

Recognition & Discretionary Rewards

MaxIQ may, at its sole discretion, offer non-monetary recognition or discretionary rewards for submissions that meaningfully improve our security posture. There is no guarantee of compensation, and all decisions regarding recognition are final.

Our focus is on supporting thoughtful, responsible research—not transactional submissions.

Legal Notes & Program Terms

You may not publicly disclose any vulnerabilities or submission content without written permission from MaxIQ.

By submitting a report, you grant MaxIQ and its affiliates a perpetual, royalty-free license to use the information submitted for security and product improvement purposes.

The Bug Bounty Program may be updated, paused, or terminated at any time without notice.

Participation does not create any employment or contractor relationship with MaxIQ.

All testing must comply with applicable laws. You are responsible for understanding and following all legal requirements.
